IPFS Server With Reverse Proxy & Restricted Public Gateway

This guide provides detailed instructions for installing an IPFS (InterPlanetary File System) node on a low-cost VPS. A basic Nginx server is installed as a reverse proxy to allow public access to the IPFS gateway. The gateway is configured to serve only files available locally on the node.

IPFS is an open source distributed system for storing and sharing data via a peer-to-peer network. The data is addressed based on a cryptographic hash of its content and not by its location. It can be used to host websites and serve data to applications.

An IPFS gateway is an HTTP-based service that gives browsers and applications access to IPFS content. A common situation is that you want to give public access to data stored on your privately operated IPFS nodes. The default gateway allows users to request any IPFS file. If the file is not stored locally on the gateway node, the node retrieves it from the peer network. Because of legal concerns about unknown file contents and other issues such as server resource limits, it is desirable to limit users to requesting only files stored locally on your private nodes.

Nginx is an open source web server that can also be configured for more advanced roles such as load balancer, HTTP cache, and reverse proxy. We will use Nginx as a basic reverse proxy.

A reverse proxy is a server that sits behind the firewall and directs requests to the IPFS gateway. A reverse proxy is generally used to increase security and to keep unnecessary traffic from being handled by the application. We will use it for basic routing of file requests to the IPFS gateway. IPFS also provides an API port which gives full read/write access to configure the node. Exposing full access to this API is dangerous. We will completely block access to it; however, Nginx could be used to provide authenticated or limited access to this API.

1. Install Ubuntu Server 20.04 with basic firewall

IPFS can be installed on a basic low-cost VPS. For testing you can start with a $5 Droplet from Digital Ocean.

  1. Launch droplet with Ubuntu 20.04
  2. Obtain latest versions of installed packages
    sudo apt update
  3. Update all installed packages
    sudo apt upgrade
  4. Configure basic firewall allowing only SSH port
    sudo ufw allow 22
    sudo ufw enable
  5. Create new user and add to sudo group. Replace friends with your own username.
    sudo adduser friends && sudo usermod -aG sudo friends
    exit
  6. Close SSH connection and login using new user

2. Install IPFS

  1. Download IPFS
    Go to IPFS's distribution page and download the latest AMD-64 Linux version of go-ipfs. Currently the latest version is v0.12.2. Modify the version number in the path and file name below:
    wget https://dist.ipfs.io/go-ipfs/v0.12.2/go-ipfs_v0.12.2_linux-amd64.tar.gz
  2. Extract
    tar -xvzf go-ipfs_v0.12.2_linux-amd64.tar.gz
  3. Run Install Script and confirm version that is installed.
    cd go-ipfs
    sudo bash install.sh
    ipfs --version
  4. Open libp2p swarm port (default is 4001)
    sudo ufw allow 4001

3. Initialize the IPFS Repository

Run IPFS as the non-root user. Initialize IPFS with the server profile. This prevents IPFS from trying to discover other local IPFS nodes, which would result in unnecessary traffic.

The command below prints an introduction message showing your peer identity and a link to a help file.
ipfs init --profile server

4. Create a service for the IPFS daemon

The following link was used as reference for creating this service file. https://github.com/ipfs/go-ipfs/issues/1430

  1. Create service file
    sudo nano /etc/systemd/system/ipfs.service
  2. Copy the following to the file and edit it. Replace friends with your username.
[Unit]
Description=IPFS Daemon
After=network.target

[Service]
User=friends
Environment=IPFS_PATH=/home/friends/.ipfs
ExecStart=/usr/local/bin/ipfs daemon --init --migrate
StandardOutput=journal
Restart=on-failure
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
  3. Start IPFS
    sudo systemctl daemon-reload
    sudo systemctl start ipfs
  4. Enable auto-start on reboot
    sudo systemctl enable ipfs

5. Install and configure Nginx as reverse proxy for Gateway

  1. Install nginx
    sudo apt install nginx
  2. Open port
    sudo ufw allow 80
  3. Point your browser to your server IP address and you should see the default Welcome to nginx! page.
  4. Backup nginx configuration file
    sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default_back
  5. Create new configuration file
    sudo nano /etc/nginx/sites-available/default
  6. Copy the following to the file
server {
    listen 80;
    listen [::]:80;
    server_name your_domain_name.com;

    location /ipfs {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        allow all;
    }
}
  7. Test the configuration file to make sure there are no errors.
    sudo nginx -t
  8. Reload nginx with the new configuration
    sudo systemctl reload nginx

6. Test Gateway

If everything is configured correctly, your IPFS node should be running and set up as a full public gateway. A user could request any available IPFS file.

Replace <your ip address> with your server’s address. This request fetches the file from the peer network and returns a text file containing: “hello world!” Nginx was configured above to listen on port 80 only, so use http:
http://<your ip address>/ipfs/QmTp2hEo8eXRp6wg7jXv1BLCMh5a4F3B7buAUZNZUu772j

7. Restrict File access

  1. Configure Gateway to only fetch files that are local to your node.
    ipfs config --json Gateway.NoFetch true
  2. Restart IPFS
    sudo systemctl restart ipfs
  3. Delete previously fetched files from the cache by running garbage collection
    ipfs repo gc
  4. Request the remote file again. You should get the error message “merkledag: not found”
    http://<your ip address>/ipfs/QmTp2hEo8eXRp6wg7jXv1BLCMh5a4F3B7buAUZNZUu772j
  5. Create and pin local file to your node. The resulting hash will be displayed
    echo "hello friend" | ipfs add
  6. Read the contents of the created file
    ipfs cat Qmbi8UxZdPLsnDSuQLDmqoo7kuTgTkVhHMHuQcz9X77Jdq
  7. Request the local file using gateway. You should have access to retrieve this file.
    http://<your ip address>/ipfs/Qmbi8UxZdPLsnDSuQLDmqoo7kuTgTkVhHMHuQcz9X77Jdq
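
To confirm the restriction still holds after later configuration changes, the script below checks the settings this guide relies on: Gateway.NoFetch, loopback-only API and gateway listeners, and no firewall rule for their ports. It is an added example, not part of the original guide; it assumes the go-ipfs default ports (API 5001, gateway 8080) and single-string Addresses values, and the function names are illustrative.

```sh
# Added example: audit the lockdown this guide sets up. Assumes go-ipfs defaults
# (API tcp/5001, gateway tcp/8080) and single-string Addresses.* values.

# True when a multiaddr binds only to loopback, e.g. /ip4/127.0.0.1/tcp/5001.
is_loopback_multiaddr() {
    case "$1" in
        /ip4/127.*/tcp/*|/ip6/::1/tcp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when `ufw status` text ($1) contains an ALLOW rule for port $2.
ufw_allows_port() {
    printf '%s\n' "$1" | grep -Eq "^$2(/(tcp|udp))?( \(v6\))?[[:space:]]+ALLOW"
}

# Records one finding (helper for audit_values).
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Prints one line per finding and returns 0 only when there are none.
# $1 Gateway.NoFetch  $2 Addresses.API  $3 Addresses.Gateway  $4 ufw status text
audit_values() {
    findings=0
    [ "$1" = "true" ] || note "Gateway.NoFetch is '$1'; gateway fetches from peers"
    is_loopback_multiaddr "$2" || note "API bound to $2, not loopback"
    is_loopback_multiaddr "$3" || note "gateway bound to $3, not loopback"
    for port in 5001 8080; do
        if ufw_allows_port "$4" "$port"; then note "ufw allows port $port"; fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from a real host): NoFetch off, API on all interfaces.
demo() {
    audit_values false /ip4/0.0.0.0/tcp/5001 /ip4/127.0.0.1/tcp/8080 \
        "5001                       ALLOW       Anywhere"
}

# Live check on the node itself: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_values "$(ipfs config Gateway.NoFetch)" "$(ipfs config Addresses.API)" \
        "$(ipfs config Addresses.Gateway)" "$(sudo ufw status)"
fi
```

Run it with --live as the user that owns the IPFS repository; a non-zero exit status means at least one finding was printed.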